URL: https://github.com/freeipa/freeipa/pull/837
Author: frasertweedale
Title: #837: ca-add: fix permission issue
Action: opened
PR body:
"""
The ca-add command pre_callback uses ldap.can_add() to check whether
the user has permission to add CAs. Alas, the GetEffectiveRights
control used by ldap.can_add() doesn't correctly interpret ACIs with
'targetfilter' constraints, and returns a false-negative for
non-admin users, even when they have the 'System: Add CA'
permission.
To work around this, add the CA object to FreeIPA before attempting
to create the CA in Dogtag. If the CA creation in Dogtag succeds,
the user then updates the FreeIPA object with the Authority ID and
other authoritative data returned by Dogtag. If the CA creation in
Dogtag fails, the user cleans up by deleting the newly-created CA
object from FreeIPA.
This modified procedure ensures that the user certainly has the
'System: Add CA' permission before the CA creation in Dogtag is
attempted. But it also means that the user must have 'write' and
'delete' permission on 'ipaca' objects in FreeIPA, so that it can
complete the object after CA creation in Dogtag, or clean up if that
step fails. Therefore, update the 'System: Add CA' permission to
confer 'write' and 'delete' access on 'ipaca' objects, as well as
'add' access.
Fixes: https://pagure.io/freeipa/issue/6609
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/837/head:pr837
git checkout pr837

URL: https://github.com/freeipa/freeipa/pull/937
Author: felipevolpone
Title: #937: Configuring log handlers during the input parameters validation phase
Action: opened
PR body:
"""
Previously, a log handler would be configured only after all the input parameters be validated, as can be checked in `ipapython/admintool.py::AdminTool::main`. So, any call to `logger.[warning,info,error,debug]`, during that phase, doesn't work and it also raises an exception.
Now, log handlers are setup before the input parameters validation phase.
Fixes: https://pagure.io/freeipa/issue/7071
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/937/head:pr937
git checkout pr937